
Towards a European eID Regulatory Framework

Challenges in Constructing a Legal Framework for the Protection and Management of Electronic Identities

Chapter in: European Data Protection: In Good Health?

Abstract

Electronic Identity (eID) is a key driver for the growth of the EU economy and the completion of the Single Digital Market. Despite the proliferation of identity management systems, the various political declarations and initiatives in this area, the plethora of research projects and the wide array of advanced eID technologies, the creation of an encompassing, interoperable, pan-European eID scheme has not yet been accomplished. One fundamental reason for this state of affairs is the inadequacy of the current EU legal framework. In this context, the paper identifies a number of legal gaps and barriers in the EU legal framework that are arguably hindering the creation of a full-fledged pan-European eID. Through such examination, the article underlines that an appropriate regulation regarding eID on a European level is lacking. Current EU law does not yet present a specific and appropriate legal framework for the management of digital identities, regulating the latter through principles, rules and concepts ‘borrowed’ from different EU legal instruments and national laws.

The views expressed in this article are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission.


Notes

  1.

    See Appendix Terminology for the definition of the most relevant concepts and terms regarding electronic identity (eID) and electronic identity management (IDM) systems.

  2.

    This has been the case of studies done in the ambit of research initiatives such as the ones led by the Porvoo e-ID Group, Stork, MODINIS, and the IDABC program, as well as studies such as the European Commission (2005), prepared by the eGovernment subgroup of the eEurope Advisory Group.

  3.

    It is also important to bear in mind that the scope of this article is limited to the management of the digital identities of individuals or natural persons. I am fully aware that issues concerning the management of online identities for entities or objects (namely through RFID tags) are growing in importance, but these are outside the scope of this paper.

  4.

    The analysis of the “specific barriers”, or better, the analysis of the legal gaps which derive from particular legal instruments in EU law vis-à-vis the need to effectively and comprehensively regulate eID—namely from the three most relevant European directives in such area (the Data Protection, the eSignatures, and the Services directives)—goes beyond the scope of this article. Nevertheless, and just for cataloguing purposes, one could mention the shortcomings of the current identifiability model of the data protection legal framework and the need to regulate the processing of certain instances of non-personal data as legal gaps of the data protection directive regarding the need to regulate eID. For further details, see (Andrade 2011a). In terms of specific issues missing from the eSignature directive that need to be solved in order to attain a successful implementation of a pan-European eID scheme, one could mention the lack of issuance procedures and the lack of a definition concerning the content and verification of eID. In this sense, see (Myhr 2008).

  5.

    In reality, the need for a balanced mix between law and technology is not new. This alliance has been widely advocated under the label of “privacy by design.” In this regard, the European Commission noted in 2003 that “…the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection.” In the context of eID and taking into account the need to achieve a sufficient level of identity protection, I believe that technology should also contribute to an “identity by design.”

  6.

    Microsoft, Shibboleth, Liberty Alliance, Passel, Sxip and other technology companies and consortia have devoted efforts to building digital IDM systems and tools.

  7.

    In effect, as the Modinis Interim Report observed: “A commonly heard remark is that for any given technical difficulty in the IDM sector the problem is not the unavailability of technical solutions, but rather an overabundance of possible solutions. Overlooking legal, cultural and socio-political perspectives, from a strictly technical point of view most hurdles to interoperate IDM systems would be fairly easy to overcome”. One may therefore conclude that the most difficult obstacles posed to the creation of a pan-European eID are not technical, but are derived from the different legal approaches and socio-political sensitivities of EU Member States.

  8.

    In other words, the article does not focus directly on interoperable technical mechanisms and infrastructures enabling EU citizens to identify and authenticate themselves. The article, instead, focuses primarily on the legal framework that must be put into place in order to allow identification and authentication procedures to be carried out.

  9.

    Many EU Member States, such as Germany, have in recent times deployed large-scale eID projects (see Graux et al. 2009, 120), many of which are presently underway.

  10.

    Such strategic document envisages, moreover, specific and concrete actions in the field of eID. This is the case of Key Action 16, according to which the Commission will “[p]ropose by 2012 a Council and Parliament Decision to ensure mutual recognition of e-identification and e-authentication across the EU based on online ‘authentication services’ to be offered in all Member States (which may use the most appropriate official citizen documents—issued by the public or the private sector)”.

  11.

    In such Action Plan, the Commission has proposed a European Strategy on IDM to be attained by 2012, which includes legislative proposals on criminalization of identity theft and on electronic identity (eID) and secure authentication systems.

  12.

    Such as the Manchester Ministerial Declaration (2005) and the Lisbon Ministerial Declaration (2007).

  13.

    Such as the recent Communication from the European Commission (2010d).

  14.

    Namely the following studies: Commission, “Signposts Towards e-Government 2010”.

  15.

    Such as the Stockholm Program, which defines the framework for EU police and customs operation, rescue services, criminal and civil law cooperation, asylum, migration and visa policy for the period 2010–2014.

  16.

    http://petweb2.projects.nislab.no/index.php/Main_Page

  17.

    http://www.vaestorekisterikeskus.fi/vrk/fineid/home.nsf/pages/6F4EF70B48806C41C225708B004A2BE5

  18.

    This is the case of the Directive on Services in the Internal Market (2006/123/EC), which article 8 constitutes an example of the necessity of interoperable eID, stating that “[…] all procedures and formalities relating to access to a service activity and to the exercise thereof may be easily completed, at a distance and by electronic means […].”

  19.

    In effect, “[t]he Internet has an ID infrastructure often identifying only the endpoint of a communication: IP addresses. These are often unreliable to identify users” (Leenes et al. 2008, 1).

  20.

    This does not necessarily mean that unique identification numbers cannot be used in these countries, but that their use should be restricted to a specific context. In this way, countries tend to decree the use of separate sectoral identifiers (namely for tax and social security purposes). The use of sector based identifiers is, in effect, finding increasing adoption, partly as a consequence of the above mentioned constitutional restrictions.

  21.

    Four main models of IDM systems can be identified within the massive proliferation of eID systems: the “siloed”, the centralized, the federated and the “user-centric” IDM systems. For a detailed explanation of each of them, see OECD (2009, 16–17).

  22.

    One should bear in mind, though, that, in some circumstances, these different actors can coincide in the same entity. For example, an identity provider can also be an authentication authority, and a registration authority might also be an identity provider.

  23.

    The basic principle underpinning legal basis was expressed in Case 45/86, Commission v. Council (Generalized Tariff Preferences) where the ECJ expressed the opinion that: “the choice of a legal basis for a measure may not depend simply on an institution’s conviction as to the objective pursued but must be based on objective factors which are amenable to judicial review.”

  24.

    In the case of delegated legislation, those references are located in an enabling legislative act.

  25.

    In more detail, such three categories are the following: Exclusive competence, according to which only the EU can legislate and adopt legally binding acts, the Member States being able to do so only if empowered by the EU or for the implementation of EU acts; Shared competence, which constitutes a ‘general residual category,’ (Craig 2008, 8), it provides that the EU shall share competence with Member States where the Treaties confer on it a competence which does not relate to the areas referred in articles 3 and 6 TFEU (such dispositions deal, respectively, with the category of exclusive competence and with the competence according to which the EU is restricted to taking action to support, co-ordinate, or supplement the action of the Member States); Competence to support, co-ordinate, or supplement, which allows the EU to take action to support, co-ordinate or supplement the actions of the Member States, without thereby superseding their competence in these areas, and without entailing harmonization of Member State law (article 2(5) TFEU).

  26.

    Article 77(3) TFEU: “If action by the Union should prove necessary to facilitate the exercise of the right referred to in Article 20(2)(a), and if the Treaties have not provided the necessary powers, the Council, acting in accordance with a special legislative procedure, may adopt provisions concerning passports, identity cards, residence permits, or any other such document. The Council shall act unanimously after consulting the European Parliament.”

  27.

    This is the case of the Modinis-IDM-Consortium (2006) Modinis Deliverable: D.3.9 IDM Issue Interim Report II1. In addition, the Modinis project developed a specific Terminology Paper (Modinis-IDM-Consortium 2005).

  28.

    See Appendix Terminology for an overview of the terminology use in the field of eID.

  29.

    The basic principles are listed in article 6 of the Data Protection Directive (DPD), and include the requirements that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical, or scientific use. Apart from these basic principles, article 7 of the DPD delineates the conditions under which personal data may be processed, amidst which we stress the requisite that “the data subject has unambiguously given his consent”.

  30.

    Such as the EU/EC programs, commissioned studies, action plans, agendas, and research projects promoted in the eID area and mentioned in sect. 2.

  31.

    In terms of concrete proposals for the achievement of a pan-European eID scheme, Thomas Myhr presents two concrete action proposals that the European Commission could take into consideration in order to achieve cross-border interoperability: (i) setting up requirements for Validation Authorities and self-declaratory schemes and (ii) setting up a quality classification system, where different national security levels can be mapped against neutral requirements adopted by the European Commission. See Myhr (2008).

  32.

    That is, “the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes”.

  33.

    As examples of governments’ legitimate interest in accessing and sharing personal data, Mary Rundle lists the following: “For example, in fighting cybercrime, governments want authority to require Internet service providers to hand over subscriber information, among other data. To facilitate travel, governments have agreed to certain standards for a global system of electronic identity information. For taxation of international e-commerce, OECD members are seeking reliable ways to identify taxpayers. To counter the financing of terrorists or other criminals, governments seek to ensure that information on originators of wire transfer is available”.

  34.

    The PRIME research project, in its technical proposals and prototypes for privacy-identity management tools, envisaged three central means of controlling multiple partial identities: tracking one’s data trail, support for rights enforcement and policy enforcement. See Ibid.

  35.

    The TURBINE project aims to develop innovative digital identity solutions, combining the secure, automatic user identification thanks to electronic fingerprint authentication; and reliable protection of biometric data through advanced cryptography technology. For further information, see http://www.turbine-project.eu/

  36.

    Ibid.

  37.

    As remarked in the PRIME project White paper: “If I know your name, I can try to get data about you through all sort of channels, which is much more difficult if I only know your transaction pseudonym ghT55897” (Ibid).

  38.

    There are mechanisms to reveal the identity of users when warranted and under strict conditions. As a concrete proposal, it is suggested that “[o]ne of these conditions would be the use of a trusted third party that is contractually bound to reveal the civil identity of the user under certain circumstances.”

  39.

    De-anonymization of data is becoming a recurrent phenomenon, posing new risks to privacy.

  40.

    In also observing the principle of unlinkability, the same study points out that the Czech Republic plans to implement a system similar to the Austrian one, “based on the introduction of a ‘basic personal identifier’, which will be used to derive a set of personal identifiers for specific contexts, so that each individual will be identified by a different identifier in each context” (Ibid.), thus preventing different eIDs from being cross-related and linked.

  41.

    See (Leenes et al. 2008, 3).

  42.

    Ibid., 7.

  43.

    Ibid., 10.

  44.

    For more information on which countries surveyed in the PEGS study subscribed to an authentication source principle and to what extent that this principle has impacted their identity management policies, see (Graux et al. 2009, 81–84).

  45.

    In this context, see Poullet’s construction of a “new privacy right: the right to a privacy compliant terminal with a transparent and mastered functioning by its users”, in (Poullet 2010, 27). Such a right, being heavily based on technological components and technical requisites embedded into terminal equipment, constitutes what I would call a derivation of the principle of technological assistance.

  46.

    Member States have also implicitly introduced into their legislation the authentic source principle already alluded to.

  47.

    This section relies upon various studies that have provided detailed “glossary-type” definitions of the various terms and notions employed in the area of eID. This is the case of the FIDIS project, the MODINIS, PrimeLife, STORK and specific studies, such as Pfitzmann and Hansen (2010).

  48.

    The distinction between full and partial identity I here propose presents a different nuance from the one advanced by Pfitzmann and Hansen regarding complete and partial identities: “A partial identity is a subset of attribute values of a complete identity, where a complete identity is the union of all attribute values of all identities of this person”, in (Pfitzmann and Hansen 2010, 31). While for these authors partial identities may encompass attributes through which a person can be identified, I define partial identities as covering those attributes that do not necessarily identify a given person, classifying the ones that do as full identities. In sum, the difference between full and partial identities has to do with identifiability, equating to the difference between information that relates to an identified or identifiable person and information that does not.

  49.

    have seen, this specific characteristic of the processing of eIDs enables the use of multiple identities by the same individual.

  50.

    Though numbers (such as national register numbers, VAT numbers, certificate numbers, etc.) are the most common (and, in fact, the default) form of unique identifier, “any sufficiently unique set of attributes pertaining to a specific entity can serve the exact same purpose” (Graux et al. 2009, 113).

  51.

    (Graux et al. 2009, 113). As we shall see, it is based on this type of authentication that I will argue in favor of a principle of multiple identities.

  52.

    Typical use cases of an interoperable eID, which are currently being developed by Stork, “are when a citizen of country X can use the electronic identity and authentication scheme of his or her home country for a license application, or when a student from country Y can register for a scholarship in country X with her home authentication scheme, without a need to register herself in country Y” (Leenes et al. 2009, 16).

  53.

    “Biometrics are measurable biological and behavioral characteristics and can be used for strong online authentication. A number of types of biometrics can be digitized and used for automated recognition. Subject to technical, legal, and other considerations, biometrics that might be suitable for IDM use include fingerprinting, facial recognition, voice recognition, finger and palm veins”, (OECD 2009, 7).

  54.

    From a more technological perspective, the technical solution most commonly used in electronic communication identifying the person/holder of eID is PKI (public key infrastructure), which uses a pair of ‘keys’: a public key used for signing an electronic document and a private key linked to a certificate and used by the receiver to validate the signature. In this way, PKI can be used to detect if a document has been changed without authorization after it was sent. In addition, eIDs “may be stored on smart cards or other devices but may also be received from a central authority during an authentication process” (Leenes et al. 2009, 16).
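Note 40 above describes the Austrian model, which the Czech Republic planned to follow, in which a basic personal identifier is used to derive a separate identifier for each sector so that a citizen's records cannot be cross-related across contexts. The Go program below is an added illustration written for this page; it is not code from the article or from any national eID scheme. It assumes a registration authority that holds a derivation secret and derives each sector identifier with HMAC-SHA256 over the base identifier and the sector name; the base identifiers, sector names and secret are constructed sample values. It goes one step beyond the note by also showing why the derivation is keyed: an unkeyed hash of a guessable register number can be matched against a short list of candidate numbers by anyone who holds the sector identifier, whereas the keyed derivation cannot be reproduced without the authority's secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// RegistrationAuthority is the (assumed) body that knows each citizen's basic
// personal identifier and holds the derivation secret. Only it can compute
// sector identifiers; a relying party that receives one learns nothing about
// the base identifier or about the same citizen's identifier in another sector.
type RegistrationAuthority struct {
	secret []byte
}

// DeriveSectorIdentifier returns the context-specific identifier for a citizen
// in one sector. HMAC-SHA256 keyed with the authority's secret makes the
// result stable per (citizen, sector) pair, different across sectors, and not
// reproducible by anyone who lacks the secret.
func (ra RegistrationAuthority) DeriveSectorIdentifier(baseIdentifier, sector string) string {
	mac := hmac.New(sha256.New, ra.secret)
	mac.Write([]byte(baseIdentifier))
	mac.Write([]byte{0}) // separator so that "ab"+"c" and "a"+"bc" cannot collide
	mac.Write([]byte(sector))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// PlainHashIdentifier is the weak variant shown for contrast: an unkeyed hash
// of base identifier and sector. Anyone can recompute it for candidate numbers.
func PlainHashIdentifier(baseIdentifier, sector string) string {
	sum := sha256.Sum256([]byte(baseIdentifier + "+" + sector))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Linkable is all a relying party can do to match two records from different
// contexts: compare the identifiers it was given.
func Linkable(idA, idB string) bool { return idA == idB }

// GuessBase models a holder of a sector identifier who tries to recover the
// underlying register number by recomputing the derivation for a list of
// candidate numbers with whatever derivation function it can run itself.
func GuessBase(candidates []string, sector, target string, derive func(base, sector string) string) (string, bool) {
	for _, c := range candidates {
		if derive(c, sector) == target {
			return c, true
		}
	}
	return "", false
}

func main() {
	ra := RegistrationAuthority{secret: []byte("constructed-secret-held-only-by-the-authority")}
	base := "1234567890" // constructed sample register number
	tax := ra.DeriveSectorIdentifier(base, "tax")
	health := ra.DeriveSectorIdentifier(base, "health")
	fmt.Println("tax sector identifier:   ", tax)
	fmt.Println("health sector identifier:", health)
	fmt.Println("linkable across sectors: ", Linkable(tax, health))

	candidates := []string{"1234567889", "1234567890", "1234567891"}
	outsider := RegistrationAuthority{} // no secret: cannot reproduce the keyed derivation
	_, found := GuessBase(candidates, "tax", tax, outsider.DeriveSectorIdentifier)
	fmt.Println("base recovered from keyed identifier:  ", found)
	_, found = GuessBase(candidates, "tax", PlainHashIdentifier(base, "tax"), PlainHashIdentifier)
	fmt.Println("base recovered from unkeyed identifier:", found)
}
```

The design point is that unlinkability across sectors holds only while the secret stays with the registration authority; if sector identifiers were derived by an unkeyed hash of a low-entropy national number, every relying party could enumerate the number space and link its records with those of any other sector.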

References

  • Andrade, Norberto Nuno Gomes de. 2011a. Data protection, privacy and identity: Distinguishing concepts and articulating rights. In Privacy and identity management for life: 6th IFIP WG 9.2, 9.6/11.7, 11.4, 11.6/PrimeLife International Summer School, Helsingborg, Sweden, August 2–6, 2010, revised selected papers, eds. S. Fischer-Hübner, P. Duquenoy, M. Hansen, R. Leenes and G. Zhang, 90–107. Berlin: Springer.
  • Andrade, Norberto Nuno Gomes de. 2011b. The right to privacy and the right to identity in the age of ubiquitous computing: friends or foes? A proposal towards a legal articulation. In Personal data privacy and protection in a surveillance era: Technologies and practices, eds. C. Akrivopoulou and A. Psygkas, 19–43. Hershey: Information Science Publishing.
  • Article 29 Data Protection Working Party. 1999. Recommendation 1/99 on invisible and automatic processing of personal data on the internet performed by software and hardware.
  • Craig, Paul. 2008. The treaty of Lisbon, process, architecture and substance. European law review 33 (2): 137–66.
  • Dumortier, Jos. 2003. Legal considerations with regard to privacy protection and identity management in the information society. 112e rapport annuel, Hochschule für Technik und Architektur Biel, TILT 15: 66–69.
  • European Commission. 2003. First report on the implementation of the data protection directive (95/46/EC). Brussels.
  • European Commission. 2005. Signposts towards eGovernment 2010.
  • European Commission. 2007. A roadmap for a pan-European eIDM framework by 2010—V.1.0.
  • European Commission. 2010a. Delivering an area of freedom, security, and justice for Europe’s citizens: Action plan implementing the Stockholm programme. Brussels.
  • European Commission. 2010b. A digital agenda for Europe.
  • European Commission. 2010c. Europe 2020: A strategy for smart, sustainable and inclusive growth. Brussels.
  • European Commission. 2010d. Towards interoperability for European public services.
  • European Commission. 2010e. A comprehensive approach on personal data protection in the European Union. Brussels: European Commission.
  • Graux, Hans, Jarkko Majava, and Eric Meyvis. 2009. eID interoperability for PEGS—update of country profiles—analysis & assessment report.
  • Jones, Andy, and T. Martin. 2010. Digital forensics and the issues of identity. Information security technical report: 1–5.
  • Leenes, Ronald, Jan Schallaböck, and Marit Hansen. 2008. PRIME (privacy and identity management for Europe) white paper.
  • Leenes, Ronald, Bart Priem, Carla van de Wiel, and Karolina Owczynik. 2009. STORK—towards pan-European recognition of electronic IDs (eIDs)—D2.2—report on legal interoperability.
  • Lisbon Ministerial Declaration, eGovernment Conference. 2007. Reaping the benefits of eGovernment, of the Portuguese Presidency of the European Council and of the European Commission. Accessed 19 Sept 2007, Lisbon, Portugal.
  • Manchester Ministerial Declaration, eGovernment Conference. 2005. Transforming public services, of the United Kingdom Presidency of the European Council and of the European Commission. Accessed 24 Nov 2005, Manchester, United Kingdom.
  • Modinis-IDM-Consortium. 2005. Modinis study on identity management in eGovernment. Common terminological framework for interoperable electronic identity management—Consultation Paper V.2.01.
  • Modinis-IDM-Consortium. 2006. Modinis study on identity management in eGovernment, identity management issue interim report II1.
  • Myhr, Thomas. 2008. Legal and organizational challenges and solutions for achieving a pan-European electronic ID solution, or I am 621216–1318, but I am also 161262–43774. Do you know who I am? Information security technical report 13 (2): 76–82.
  • Nabeth, Thierry. 2009. Identity of identity. In The future of identity in the information society: Challenges and opportunities, eds. Kai Rannenberg, Denis Royer and André Deuker, 19–69. Berlin: Springer.
  • OECD. 2007. OECD recommendation on electronic authentication and OECD guidance for electronic authentication.
  • OECD. 2009. The role of digital identity management in the internet economy: A primer for policy makers.
  • Ohm, Paul. 2009. Broken promises of privacy: responding to the surprising failure of anonymization. University of Colorado law legal studies research paper no. 09–12.
  • Pfitzmann, Andreas, and Marit Hansen. 2010. A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (version V0.34).
  • Poullet, Yves. 2010. About the e-privacy directive: towards a third generation of data protection legislation? In Data protection in a profiled world, eds. S. Gutwirth, Y. Poullet and P. de Hert, 3–30. Dordrecht: Springer.
  • Reflection group on the Future of the EU 2030. 2010. Project Europe 2030. Challenges and opportunities—a report to the European Council by the reflection group on the future of the EU 2030.
  • van Rooy, Dirk, and Jacques Bus. 2010. Trust and privacy in the future internet—a research perspective. IDIS: Identity in the Information Society 3 (2): 397–404.
  • Rundle, Mary. 2006. International personal data protection and digital identity management tools. Berkman Center research publication no. 2006–06.

Acknowledgements

Thanks to Ioannis Maghiros for very helpful comments.

Author information

Corresponding author: Norberto Nuno Gomes de Andrade.

Appendix: Terminology

This annex provides a general overview of the most relevant concepts, terms, and notions regarding electronic identity (eID) and electronic identity management systems (eIDM) [47]. It lays down the terminological grounds on which the legal analysis provided in the article is based.

The processing of electronic identities involves a wide array of technical terms that must be clarified in order to understand what the creation of a pan-European eID entails and implies. In fact, in order to discuss the creation of a European electronic identity and the legal challenges to such an endeavor, we need first to understand what electronic identity is. In order to comprehend the notion of electronic identity, we also need to understand other related and important concepts and processes, such as attributes, credentials, identification, authorization, and partial identities.

Starting with the basics, we should first distinguish between an entity and a quality. Any specific entity (a human being, for instance) has a number of qualities or attributes. The sum of these attributes makes up one’s identity (namely one’s exact identity) [48]. The notion of attribute is of utmost importance because, depending on the context or on the attribute in question, it can refer to a full identity (when it is used to unequivocally identify a given individual) or to a partial identity (when it refers to an identity characteristic of a given person without revealing his/her full or entire identity, that is, without identifying him/her in absolute terms) (Pfitzmann and Hansen 2010, 31) [49].

Another important term is identifier. A unique identifier can be defined as “an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context” (Graux et al. 2009, 113) [50]. Two classes of identifiers can be distinguished: primary digital identifiers, which are directly connected to a person (name, address, mobile phone number, password, or electronic signature), and secondary digital identifiers, which are not directly connected to an individual (cookies, IP addresses, or RFID tag numbers).

Also relevant is the notion of identity claims, which is intimately connected with credentials. In the offline world, claims that an individual is of certain age or lives at a given address are certified by third parties, namely by the State when it issues certificates supporting these claims (e.g., passport, ID card, or driver’s license). In the online world, there are entities specifically designated for the certification of identity claims. “[O]nline certifiers can, by means of cryptographic techniques (security tokens), vouch for certain claims in a secure manner that cannot be tampered with” (Leenes et al. 2008, 8). While paper-ID aims to identify physically present individuals, electronic ID provides credentials to enable citizens to remotely identify themselves. While conventional ID functions on the basis of personal appearance and paper-based proof of identity (certificates, identity cards, showing one’s signature or photograph), eID is based upon more complex processes and mechanisms.

Such processes of identity recognition are developed and carried out by identity management (IDM) systems. The overall objective of eIDM systems is to associate information with people, enabling transactions between different parties in an ecosystem of mutual confidence and trust. IDM, at a more general level, can be defined as “[s]ystems and processes that manage and control who has access to resources, and what each user is entitled to do with those resources, in compliance with the organization’s policies” (Leenes et al. 2008, 1). On the administrators’ side, IDM systems allow organizations, businesses, companies, and institutions to grant, control, and manage user access to information, applications, and services over a wide range of network services. This access is conducted through authentication methods (passwords, digital certificates, hardware or software tokens) and authorization rights. On the users’ side, IDM systems provide (or should provide) them with the necessary tools to manage their identities and control the use of their personal data. IDM systems can vary widely in terms of applications requiring different degrees of identification, access control, and credentials.

The functioning of IDM systems involves two main processes or components, which are identification and authentication.

While the purpose of identification is to “link a stream of data with a person” (Myhr 2008, 77), the process of authentication can be defined as “the corroboration of the claimed identity of an entity or of a set of its observed attributes” (Graux et al. 2009, 113). In this respect, a distinction can be made between an authentication process that determines one’s exact identity and an authentication process that determines one’s specific quality or attribute (partial identity). In the latter situation, a given application authenticates the entity only to verify whether he or she has a specific required quality (such as being an adult, being a resident of a given region, city, etc.) [51]. The process is thus carried out without revealing or knowing who exactly the person is. “The application determines the entity’s status, not his/her identity” (Graux et al. 2009, 113). In the other situation, the application authenticates one person by determining his/her exact identity. Here, authentication processes sufficient information to distinguish and select one individual from all others, one specific person out of all mankind.

In other words, the authentication process corresponds to the verification of the authenticity of an identity. Authentication must effectively prove that a person indeed has the identity that he/she claims to have. To this end, the authentication process relies on elements/instruments such as identity cards, passports, or a key (proving to a technical infrastructure the right to access). In brief, authentication is the process of establishing that a specific identity, or set of identity-related credentials, is genuinely held by the party presenting it, so that access to specific services can then be granted on that basis.

The authentication phase thus requires the presentation of a credential, i.e., “data that is used to authenticate the claimed digital identity or attributes of a person” (OECD 2007, 12). Examples of digital credentials include an electronic signature, a password, a verified bank card number, a digital certificate, or a biometric template (OECD 2009, 6). Several actors can be identified in the authentication process of electronic identities. Within the eGovernment area, and as explained in one of the deliverables of the STORK project:

the eID process generally comprises five roles, which will be present in most Member States’ eID models. First of all, there is an (1) authority that registers the citizen that wants to obtain an eID. This authority is related to the (2) organization that provides an electronic token and the credentials (hence, the eID) that can be used in eGovernment authentication. In addition, the process of authentication comprises the role of (3) an authority that authenticates the token that is used by the citizen. Next to the authenticating party, there is (4) a relying party that depends on this electronic authentication for the purpose of interaction or transaction, e.g. in the eGovernment service. Of course, there is also (5) an entity that claims a particular identity (e.g., the citizen or a delegate) (Leenes et al. 2009, 25–26).
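The following is an added example, written for this page and not taken from the chapter, the STORK deliverable or any national eID scheme. It makes concrete two points made above: the difference between authenticating a partial identity (status only, “adult: yes”) and authenticating an exact identity (name, date of birth), and the five STORK roles (registration/issuing authority, claimant, authenticating authority, relying party). The token is a salted digest list over the citizen’s attributes, so the claimant can reveal a single attribute while the verifier still checks it against what the issuer committed to. Everything here is an assumption for illustration: the function names, the attribute names, the constructed citizen record, and the HMAC key shared between issuer and authenticating authority, which stands in for the certificate/PKI a real scheme would use so that the example runs with the standard library alone.

```python
"""Selective-disclosure eID token: issue, present, authenticate (illustrative).

Role mapping (hypothetical, after the five STORK roles quoted above):
  registration / token-issuing authority -> issue_token()
  claimant (citizen)                      -> present()
  authenticating authority                -> authenticate()
  relying party                           -> relying_party_age_check()
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a symmetric key shared by the issuing and the authenticating
# authority. A real scheme would use a certificate-based signature instead.
ISSUER_KEY = secrets.token_bytes(32)


def _attribute_digest(salt: str, name: str, value: str) -> str:
    """Salted commitment to one attribute. The salt keeps a verifier that only
    sees the digest list from guessing low-entropy values (e.g. over_18)."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def issue_token(attributes: dict) -> tuple:
    """Issuing authority: commit to every attribute and MAC the digest list.

    Returns (token, disclosures). The token is what the claimant shows; the
    disclosures (salt + value per attribute) stay with the claimant and are
    revealed one at a time.
    """
    disclosures = {
        name: {"salt": secrets.token_hex(16), "value": value}
        for name, value in attributes.items()
    }
    # Sorted so the position of a digest does not leak which attribute it is.
    digests = sorted(
        _attribute_digest(d["salt"], name, d["value"])
        for name, d in disclosures.items()
    )
    payload = json.dumps({"digests": digests}, sort_keys=True)
    mac = hmac.new(ISSUER_KEY, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "mac": mac}, disclosures


def present(token: dict, disclosures: dict, requested: list) -> dict:
    """Claimant: hand over the token plus only the attributes actually asked for."""
    return {
        "token": token,
        "revealed": {name: dict(disclosures[name]) for name in requested},
    }


def authenticate(presentation: dict, requested: list) -> Optional[dict]:
    """Authenticating authority: verify the issuer MAC, then verify that each
    revealed attribute matches a digest the issuer committed to.

    Returns only the verified requested attributes, or None on any failure.
    The authority never needs the non-revealed attributes, so a status check
    does not expose the citizen's identity.
    """
    token = presentation["token"]
    expected = hmac.new(ISSUER_KEY, token["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None  # token not issued by the trusted authority, or altered
    committed = set(json.loads(token["payload"])["digests"])
    revealed = presentation["revealed"]
    verified = {}
    for name in requested:
        d = revealed.get(name)
        if d is None:
            return None  # claimant did not disclose what the relying party needs
        if _attribute_digest(d["salt"], name, d["value"]) not in committed:
            return None  # revealed value was not what the issuer certified
        verified[name] = d["value"]
    return verified


def relying_party_age_check(presentation: dict) -> bool:
    """Relying party that needs a status (adult or not), not an identity."""
    result = authenticate(presentation, ["over_18"])
    return result is not None and result["over_18"] == "true"


# Constructed sample record for the example; not real personal data.
SAMPLE_CITIZEN = {
    "name": "Example Citizen",
    "birth_date": "1980-01-01",
    "over_18": "true",
    "region": "Example Region",
}

if __name__ == "__main__":
    token, disclosures = issue_token(SAMPLE_CITIZEN)
    # Partial identity: the relying party learns the status only.
    print(relying_party_age_check(present(token, disclosures, ["over_18"])))
    # Exact identity: the relying party asks for enough to single the person out.
    print(authenticate(present(token, disclosures, ["name", "birth_date"]),
                       ["name", "birth_date"]))
```

The point worth noticing in the code is in `authenticate`: the authority verifies the issuer’s commitment over the whole attribute set, yet only ever sees the attributes the claimant chose to reveal. A relying party asking for `over_18` therefore gets a yes/no answer and nothing else, which is the “status, not identity” case described above; asking for `name` and `birth_date` turns the same token into exact identification. A claimant who edits a revealed value, or who reveals less than the relying party requires, is rejected.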

In a European context, the concept of interoperability is of paramount importance. Electronic identities will have little value for free movement of persons, goods, services and capital, and the stated objectives of constructing a fully operational single digital market, if they are not recognizable outside national borders and across different EU Member States. Interoperability is generally defined as “the ability of a system or a product to work with other systems or products without special effort on the part of the user, covering both the holder of the eID and the counterparty on the receiving end of electronic communication” (Myhr 2008, 77). It has both technical and legal/organizational dimensions.

A pan-European eID can be roughly defined as an “eID issued to persons, mainly natural persons but also legal persons (enterprises, etc.), which can be used in cross-border transactions, and is accepted by all states within the EU” (Myhr 2008, 77). A pan-European eID is closely connected to the notion of interoperability, which “mainly comprises the possibility of a citizen from one country to use the authentication system from this country to have access to an application in another country” (Leenes et al. 2009, 15).

To conclude, and in line with previously mentioned proposals for an eID terminology (Pfitzmann and Hansen 2010), the term eIdentity is used in this paper to indicate a set of personal information and data relevant to a human’s identity when stored and transmitted via electronic systems, including but not limited to computer networks (that is, digitized). Taking into account that, in the offline world, an identity is established from an extensive set of attributes associated with an individual (e.g., name, height, birth date, employer, home address, passport number), it is relevant to note that, in the online world, an individual identity can be established by combining both real-world and digital attributes (OECD 2009, 6), such as passwords or biometrics. Electronic identities are thus identities that are constructed out of the various identity attributes related to a given person (which together compile his/her identity information), processed electronically by technically supported IDM systems, and that are then recognized by public and private entities (such as national governments and private companies) (Leenes et al. 2009, 16).

Copyright information

© 2012 Springer Science+Business Media B.V.

Cite this chapter

de Andrade, N. (2012). Towards a European eID Regulatory Framework. In: Gutwirth, S., Leenes, R., De Hert, P., Poullet, Y. (eds) European Data Protection: In Good Health?. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-2903-2_14
